A popular antivirus software for Windows computers made them vulnerable to being hacked.

A security hole in Trend Micro meant that any PCs running its antivirus software could be hijacked, infected with malware, wiped clean and have its stored passwords stolen -- even if they were encrypted. Trend Micro has now issued a security patch for the flaw, which was contained in the password manager of the antivirus package. Users should update the software as soon as possible.

Advertisement

Tavis Ormandy, of Google Project Zero -- an assembled team of security researchers whose mission is to track down and resolve security holes in the world's software -- discovered the design flaw. Ormandy posted his findings to the Google Security Research blog, urging that Trend Micro "should be paging people to get this fixed." "I don't even know what to say -- how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" Ormandy wrote in one of a series of emails -- repeated on the blog -- to Trend Micro after finding the vulnerability. "You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control."

One of Ormandy's findings was that any webpage could run commands directly onto PCs that had the flawed software installed. Such commands include wiping the computer, downloading and installing malware onto it, and uninstalling the Trend Micro antivirus software.

Digging further into the Trend Micro Password Manager, Ormandy discovered that a malicious script could steal all passwords stored in the browser, even if they were encrypted. Ormandy warned Trend Micro that it needed to hire a cybersecurity professional. "This means anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction," Ormandy wrote in another email to Trend Micro. "In my opinion, you should temporarily disable this feature for users, then hire an external consultancy to audit the code." "The worst thing you can do is leave users exposed while you clean this thing up," he continued.

Advertisement

Google's Project Zero gives companies 90 days to fix problems before releasing its findings to the public. Trend Micro patched up the vulnerability within a week. A new version of the antivirus software is now available.

Trend Micro published a blog about the vulnerability after it had released the mandatory update. "The most important thing to know is that the critical vulnerabilities in the public report have been fixed for all Trend Micro Password Manager customers," Christopher Budd, global threat communications at Trend Micro, wrote in the post. "We responded quickly to the initial report and worked with Tavis throughout the process to understand the issue and address them. Thanks to his responsible work with us, we were able to address the most critical issues he brought us in less than one week. We are not aware of any active attacks against these vulnerabilities in that time."